CVE-2014-0167

Priority
Low
Description
The Nova EC2 API security group implementation in OpenStack Compute (Nova)
2013.1 before 2013.2.4 and icehouse before icehouse-rc2 does not enforce
RBAC policies for (1) add_rules, (2) remove_rules, (3) destroy, and other
unspecified methods in compute/api.py when using non-default policies,
which allows remote authenticated users to gain privileges via these API
requests.
References
Bugs
Notes
jdstrand> requires site-specific changes to /etc/nova/policy.json
jdstrand> Fix for 13.10 in saucy-updates and needs a rebuild for
saucy-security
jdstrand> This was split out during Grizzly and does not affect Folsom and
earlier
Assigned-to
jdstrand
Package
Source: nova (LP Ubuntu Debian)
Upstream: released (2013.2.3-1, 2014.1)
Ubuntu 10.04 LTS (Lucid Lynx): DNE
Ubuntu 12.04 LTS (Precise Pangolin): not-affected
Ubuntu 13.10 (Saucy Salamander): released (1:2013.2.3-0ubuntu1.2)
Ubuntu 14.04 LTS (Trusty Tahr): not-affected (1:2014.1-0ubuntu1)
Ubuntu 14.10 (Utopic Unicorn): not-affected (1:2014.1-0ubuntu1)
More Information

Updated: 2014-06-17 23:14:35 UTC (commit 8156)